SQL Homework – August 2021 – Security Standards


August 3, 2021 by Kenneth Fisher

A few years back (wow time flies) I had you Work with Security. It’s been a while so if you aren’t completely comfortable with how SQL Server security works you might take a look and run through that particular homework. This month it’s going to be related.

This month I want you to put some thought into a security standards document. Who is allowed to do what work in which environment (dev, test, prod for example)? What type of connections are allowed, which aren’t?

Note: This is an open book assignment. Feel free to use the web to find other examples of this, if you have a security standards document at work feel free to use it is a reference. That said, no copying. I want this to be an original document.

Things to think about:

  • Can a developer have sysadmin in an development environment? DBO? What permissions need to be specifically excluded? How about your QA team? What permissions do they need to do their job? What environments are they going to connect to to do this work? What other groups do you have in your company and what permissions do they need to get their job done?
  • SQL Server Ids vs Active Directory?
  • Naming standards for service accounts? Do you care? You could follow the standards the AD team is using?
  • Do passwords (for SQL Server Ids) expire? Again, you could follow the standards of the AD team?
  • Speaking of passwords, who is responsible for them? You? The owner of the Id? How do you document who owns the Id?
  • Is there an exception process? I’ve actually seen a product that did, in fact, require sysadmin for their product to work. And it was Microsoft’s fault. Most of the time you don’t want to give a service account sysadmin so if that’s the case what type of documentation is required to get around the standards, if any?
  • How about approvals and documentation for regular permissions requests?
  • What else can you think of?

One thought on “SQL Homework – August 2021 – Security Standards

  1. […] month I had you create a security standards document. This month we are going to document our recovery plan. Yes, recovery plan. There is no point in […]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Enter your email address to follow this blog and receive notifications of new posts by email.

Join 3,753 other subscribers

Follow me on Twitter

ToadWorld Pro of the Month November 2013
%d bloggers like this: